feat(ve_identity): Add Identity Service integration with OAuth2, API Key and Workload authentication#263
…Key, and Workload authentication

This commit introduces a comprehensive integration with Identity Service, enabling ADK agents to securely manage authentication and credentials.

## Key Features

### 1. Unified Authentication Framework
- **Three Authentication Types**:
  - OAuth2 (M2M and USER_FEDERATION flows)
  - API Key authentication
  - Workload access token authentication
- **Flexible Configuration**: Simple factory functions (`api_key_auth()`, `oauth2_auth()`, `workload_auth()`) for easy setup

### 2. Tool Integration
- **VeIdentityFunctionTool**: Function tool wrapper with built-in Identity authentication
- **VeIdentityMcpTool**: MCP tool wrapper with built-in Identity authentication
- **VeIdentityMcpToolset**: Complete MCP toolset management with automatic credential handling

### 3. Authentication Processing
- **AuthRequestProcessor**: Handles OAuth2 flows in agent conversations with support for:
  - Custom OAuth2 auth pollers
  - Callback URL handling
  - Token polling with configurable timeout
  - Mock auth poller for testing
- **Auth Mixins**: Reusable authentication logic (`VeIdentityAuthMixin`, `ApiKeyAuthMixin`, `OAuth2AuthMixin`, `WorkloadAuthMixin`) to avoid code duplication

### 4. Token Management
- **WorkloadTokenManager**: Manages workload access tokens with:
  - Automatic caching in session state
  - Token expiration handling
  - Support for JWT, user ID, and workload-only authentication modes
  - Automatic token refresh

### 5. Identity Client
- **IdentityClient**: Low-level async client for VolcEngine Identity Service API with:
  - OAuth2 credential provider management
  - API key credential provider management
  - Workload token retrieval
  - OAuth2 token and API key fetching
  - Dynamic Client Registration (DCR) support

### 6. Data Models
- **OAuth2TokenResponse**: Structured response for OAuth2 token requests
- **WorkloadToken**: Workload token with expiration tracking
- **OAuth2AuthPoller**: Abstract base for custom token polling implementations
- **DCR Models**: Support for RFC 7591 Dynamic Client Registration Protocol
- **Authorization Server Metadata**: RFC 8414 compliant metadata handling

### 7. Utility Functions
- **is_pending_auth_event()**: Detect pending authentication requests in ADK events
- **get_function_call_id()**: Extract function call IDs from auth events
- **get_function_call_auth_config()**: Extract auth configuration from events
- **generate_headers()**: Convert credentials to HTTP authentication headers
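As an added illustration (not code from this PR or from veadk-python), a minimal version of the caching, expiry-tracking and refresh behaviour the description attributes to `WorkloadTokenManager` and `WorkloadToken`, together with a `generate_headers()` counterpart; the session-state key, the 30-second expiry skew and the `fetch` callback standing in for the Identity Service call are assumptions.

```python
# Added illustrative example, not code from veadk-python: a minimal workload
# token manager with session-state caching, expiry tracking and refresh, plus
# a generate_headers() counterpart. State key, skew and fetch callback assumed.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass
class WorkloadToken:
    access_token: str
    expires_at: float  # absolute epoch seconds
    def is_expired(self, now: float, skew: float = 30.0) -> bool:
        # Expire `skew` seconds early so an in-flight request never carries a
        # token that lapses on the wire.
        return now >= self.expires_at - skew

class WorkloadTokenManager:
    STATE_KEY = "ve_identity:workload_token"  # assumed session-state key
    def __init__(self, fetch: Callable[[], WorkloadToken], clock=time.time):
        self._fetch = fetch    # the real client would call Identity Service here
        self._clock = clock
    def get_token(self, session_state: Dict[str, object]) -> WorkloadToken:
        cached = session_state.get(self.STATE_KEY)
        if isinstance(cached, WorkloadToken) and not cached.is_expired(self._clock()):
            return cached                      # cache hit, no network round trip
        token = self._fetch()                  # miss or expired: refresh
        session_state[self.STATE_KEY] = token  # cache in session state
        return token

def generate_headers(token: WorkloadToken) -> Dict[str, str]:
    # Bearer scheme assumed; never log the returned header value.
    return {"Authorization": f"Bearer {token.access_token}"}

def _demo() -> Tuple[int, str, str, str]:
    """Constructed scenario: one session, 300 s tokens, a controllable clock."""
    calls = {"n": 0}
    now = {"t": 1000.0}
    def fetch() -> WorkloadToken:
        calls["n"] += 1
        return WorkloadToken(f"tok-{calls['n']}", expires_at=now["t"] + 300)
    mgr = WorkloadTokenManager(fetch, clock=lambda: now["t"])
    state: Dict[str, object] = {}
    first = mgr.get_token(state)
    second = mgr.get_token(state)  # served from cache
    now["t"] += 280                # inside the 30 s skew window -> refresh
    third = mgr.get_token(state)
    return calls["n"], first.access_token, second.access_token, third.access_token
```

Running `_demo()` shows two fetches for three calls: the second call is a cache hit and the third refreshes because the cached token is inside the skew window.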
cuericlee left a comment
Add more unit test cases for public methods.
cuericlee left a comment
Add usage of the 3 auth types as docs for identity into https://github.com/volcengine/veadk-python/tree/main/docs/content
Pull Request Overview
This PR introduces a comprehensive Identity Service integration for ADK agents, enabling secure authentication and credential management through three authentication methods: OAuth2, API Key, and Workload access tokens.
Key Changes:
- Unified authentication framework with factory functions for easy configuration
- Tool wrappers (`VeIdentityFunctionTool`, `VeIdentityMcpTool`, `VeIdentityMcpToolset`) with built-in authentication
- OAuth2 flow handling with configurable polling and callback support
- Token management with automatic caching and expiration handling
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| utils.py | Utility functions for authentication event detection and credential header generation |
| token_manager.py | Workload token lifecycle management with session state caching |
| models.py | Data models for OAuth2, DCR, and workload tokens with validation |
| mcp_toolset.py | MCP toolset wrapper with automatic credential handling and session management |
| mcp_tool.py | Individual MCP tool wrapper with Identity authentication support |
| identity_client.py | Low-level async client for VolcEngine Identity Service API operations |
| function_tool.py | Function tool wrapper that injects credentials into wrapped functions |
| auth_processor.py | OAuth2 authentication flow processor for agent conversations |
| auth_mixins.py | Reusable authentication mixins to avoid code duplication across tool types |
| auth_config.py | Authentication configuration classes with validation and factory functions |
| __init__.py | Module exports and public API surface |
- Fix Non-standard docstrings
- Remove veadk prefix in logger
57bb133 to e6f222c
…resh

Add unit tests for ve_identity auth_config, function_tool, mcp_tool, and mcp_toolset modules. Updated IdentityClient credential refresh logic to support fallback to VeFaaS IAM credentials if environment variables are not set, improving robustness in cloud environments.
cad97e5 to 3561379
Introduces documentation for Agent Identity authentication, including product overview, API Key outbound, OAuth2 M2M outbound, and OAuth2 USER_FEDERATION outbound.
Added VeIdentityConfig to global settings and improved region handling for Agent Identity authentication. Updated configuration files and environment variable documentation.
39b7dc7 to 10f29fd
| export VOLCENGINE_SESSION_TOKEN="your-session-token" # 可选 | ||
| ``` | ||
|
|
||
| 在 VeFaaS 环境中,Agent Identity 会自动从 `/var/run/secrets/iam/credential` 读取凭证。 |
|
|
||
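Review bot: the doc line stating that Agent Identity reads credentials from `/var/run/secrets/iam/credential` in VeFaaS leaves the precedence unstated; the commit message says the IAM credential file is only a fallback used when the `VOLCENGINE_*` environment variables are not set. Say so explicitly next to the `export VOLCENGINE_SESSION_TOKEN="your-session-token" # 可选` block, so operators know which credential wins when both are present.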
| ### 方式一:使用内置 Vendor(推荐) | ||
|
|
||
| 选择提供商类型:**Google**、**GitHub** 或 **Coze**,填写: |
Add Lark as a provider: Lark, Coze, Google, GitHub
| ### 方式二:使用 OIDC 配置 | ||
|
|
||
| 选择提供商类型为 **自定义**,填写: | ||
| - 发行者 URL:OIDC 提供商的 Discovery URL(如 `https://accounts.google.com/.well-known/openid-configuration`) |
Use the identity OIDC of Lark/Coze instead

Neither of them supports OIDC
| ) | ||
| toolset = VeIdentityMcpToolset( | ||
| auth_config=auth_config, | ||
| connection_params=StdioServerParameters( |
Use StreamableSSE and the MCPServer at https://ecs.mcp.volcbiz.com/cloud_assistant/mcp instead, to support an existing OAuth MCPServer.
veadk/agent.py
Outdated
| collect_runtime_data: bool = False, | ||
| eval_set_id: str = "", | ||
| save_session_to_memory: bool = False, | ||
| auth_request_processor: AuthRequestProcessor = AuthRequestProcessor(), |
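Review bot: the default in `auth_request_processor: AuthRequestProcessor = AuthRequestProcessor(),` is evaluated once at import time, so every Agent that does not pass its own processor shares a single instance; any state the processor keeps between runs (pollers, pending callbacks, timeouts) would then be shared across unrelated agents and sessions. Prefer a default of `None` and construct the processor per Agent (or use a default factory if this is a model field).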
@yaozheng-fang check if this additional field impacts the existing agent.run?
0657344 to 08db89d
Updated OAuth2-related classes and functions to make 'auth_flow' and 'scopes' parameters optional, allowing control plane defaults to be used if not provided.
17120a5 to 9314c09
…modules

Eliminated unnecessary logger.info statements from IdentityClient and WorkloadTokenManager to reduce log verbosity and improve clarity. No changes to core logic or functionality.
15a63e8 to 1ba91e8
…dentity dependency

## Problem
Agent class had a hard dependency on Agent Identity's AuthRequestProcessor, causing all agents to depend on Agent Identity even when authentication is not needed. This violates the Dependency Inversion Principle and could break existing agents.

## Solution
Introduce an abstract processor layer following the Dependency Inversion Principle:
1. Created `veadk/processors/` package with:
   - `BaseRunProcessor`: Abstract base class for runtime processors
   - `NoOpRunProcessor`: Default no-op implementation
2. Modified `veadk/agent.py`:
   - Added `run_processor: Optional[BaseRunProcessor]` field
   - Changed dependency from AuthRequestProcessor to BaseRunProcessor
   - Initialize with NoOpRunProcessor by default
   - Updated `run()` method parameter from `auth_request_processor` to `run_processor`
3. Updated `veadk/integrations/ve_identity/auth_processor.py`:
   - Made AuthRequestProcessor inherit from BaseRunProcessor
   - Renamed main method from `with_auth_loop` to `process_run`
Eliminated the unused _NoOpAuthProcessor import and reference from ve_identity/__init__.py. Also removed a trailing blank line in processors/__init__.py and added a missing comma in NoOpRunProcessor's decorator signature for consistency.